MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
SHA3-384 hash: 19daa10528ea7f3587054d418c5df553aef0334d35a5e80761824371a6491f43011d61e39de83f70411e81232b6d40e9
SHA1 hash: fdd107e8261be425264c7863b07cdbaec37a23cf
MD5 hash: 9a057309180e58b6f230abfddd69d641
humanhash: twenty-lemon-speaker-twenty
File name:RFQ STS3780082024.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:816'640 bytes
First seen:2024-08-28 10:11:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:J4psMlFytfdaeytmhMkYdqBrpBpYys5GQypWGyxoL4iL0sa0FUpH+UaRQ4HX3EyU:J4LeOdqBVBgoDyRiAgFUpeUQR33z6p
Threatray 49 similar samples on MalwareBazaar
TLSH T1850501682605EA13DAA597F509F0F278137C6EC9B902E2139FD8BDEBB836F005D45187
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 00e8f0d4ccc0cc00 (4 x Formbook, 2 x SnakeKeylogger, 1 x Loki)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ STS3780082024.exe
Verdict:
No threats detected
Analysis date:
2024-08-28 10:13:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/64cf376f-c7f2-4706-ae62-c1322d3aa381

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.20431.21216.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cef7f4f1a57bfb70912cf5
Tags:
Execution Stealth Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66cef7f5b854095a010b824d/reports/0856d515-44aa-47d3-8194-9eb7e0293251/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff54eaf7-f40c-4fa3-a6b5-f8b1e042eeba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1500397
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1500397 Sample: RFQ STS3780082024.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 7 other signatures 2->28 7 RFQ STS3780082024.exe 4 2->7         started        process3 file4 20 C:\Users\user\...\RFQ STS3780082024.exe.log, ASCII 7->20 dropped 30 Writes to foreign memory regions 7->30 32 Allocates memory in foreign processes 7->32 34 Adds a directory exclusion to Windows Defender 7->34 36 Injects a PE file into a foreign processes 7->36 11 powershell.exe 23 7->11         started        14 MSBuild.exe 7->14         started        16 MSBuild.exe 7->16         started        signatures5 process6 signatures7 38 Loading BitLocker PowerShell Module 11->38 18 conhost.exe 11->18         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-08-27 17:40:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65mnxnrsbbcf7dwr6hmlwzehlg5g6g4bc23ozuxptfxyxyaickfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1414599021af8f143148a590ed56e6a1d0fa3eee7fa0c2eb78c32866b84a4954
Formbook
34d5d0d4983c49782a7db66d1deb8c22b170de4f154e343d2fbc12e460727b96
Formbook
642475685812ab7bbc355bb0012722266572aeadc8af18e4a4b0498229deb385
Formbook
73c43276a112f5446ab22153b11ce0df6a6232709233ee12402402acb2584d56
Formbook
9b5230cce5bbf44aa307fc0be0a6f17cb2c3a4c60368abbe1a1fb420c29f131c
Formbook
b1ca66c8cc7404a8093a85dc99ba848d7b4b307e463dd930ec91c509e1e81df2
Formbook
ccc6905f505b5e8c74c51e4774d278e9dadbd2c3238c0345db82f251070542af
Formbook
f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Formbook
ffd3edf7463b0935071c49b75cf9c9b63720f1e114084bce2747ba6578e6e83c
Formbook
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240828-l8g9bswdmk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/64987755-608f-4c87-a7d2-e9df22ff96b6
Unpacked files
SH256 hash:
97ac3d0df71d8d2566ed83ba7e45d1ad8ffa9c8018307e89e6a75afdc03bfb74
MD5 hash:
d479d5e000c16b4eba116fc1b2015b28
SHA1 hash:
c9f8f7fb31eeb7b9f52b6e637bfad6ec93b60437
Link:
https://www.unpac.me/results/811c3337-6627-4909-8d34-fa01c47e8bb3/
SH256 hash:
c7965f9601a87fc6015d61ad2a38edfa333023f62b041d1e3fd72c9728d8a24f
MD5 hash:
473fa4e825eb6e59751a5a6a08d3ac0d
SHA1 hash:
190a2fade997a0aad017bc02d711793f78c956c7
Link:
https://www.unpac.me/results/811c3337-6627-4909-8d34-fa01c47e8bb3/
SH256 hash:
66c34fb52ab239fdcbd5d61f0b540e45399b986a5379398e0d72014778635226
MD5 hash:
6faa7caee083f4dba03910c95ad29237
SHA1 hash:
8c21b7b035471ed301ef6138c657e865f596f3d3
Link:
https://www.unpac.me/results/811c3337-6627-4909-8d34-fa01c47e8bb3/
SH256 hash:
b181b3f3a4cd57f6c4ed3ce4188961a1ceaa3ef2bc6c0d61a23978b5a70875e1
MD5 hash:
fd2cca3caa34c3c718884d1938aa2208
SHA1 hash:
322bda5490e432a0edbf351438dc6fbf81be60f7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/811c3337-6627-4909-8d34-fa01c47e8bb3/
SH256 hash:
f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
MD5 hash:
9a057309180e58b6f230abfddd69d641
SHA1 hash:
fdd107e8261be425264c7863b07cdbaec37a23cf
Link:
https://www.unpac.me/results/811c3337-6627-4909-8d34-fa01c47e8bb3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f758dbb63208/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments